Analysis

  • max time kernel
    98s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/08/2024, 12:01

General

  • Target

    af224d0e8636feb5e8f624df182f80eb_JaffaCakes118.exe

  • Size

    198KB

  • MD5

    af224d0e8636feb5e8f624df182f80eb

  • SHA1

    76c5fe7e802b2f7658b591deca4e3c5bd0094715

  • SHA256

    628c9217579bcbf7f38ce88f2cd2ed15bf61b01bfa77f64a96da8df4ffa9341c

  • SHA512

    868f01a07300c1b1ecef8395e1be146022eddb137024b05cacbec1c0b33b7b89761565bcfbc5b31edf346e203bf59cbe572880bd6ad0f6e74e1b97d059b07435

  • SSDEEP

    3072:e0XgglDdw7QCc5luhAsSpjRzzPgGqhTot9u1AGnhI5h9TGJfnlfVKKm1S:e0XgSj5wKFJPmh8TPGnho0Jflt

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in System32 directory 53 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af224d0e8636feb5e8f624df182f80eb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\af224d0e8636feb5e8f624df182f80eb_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:456
    • C:\Windows\SysWOW64\LOVE4u.exe
      "C:\Windows\system32\LOVE4u.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      PID:2960
    • C:\Windows\SysWOW64\LoveVirus.exe
      "C:\Windows\system32\LoveVirus.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2344
    • C:\Windows\SysWOW64\fff.exe
      "C:\Windows\system32\fff.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:112
    • C:\Windows\SysWOW64\WormVirus.exe
      "C:\Windows\system32\WormVirus.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4236
    • C:\Windows\SysWOW64\vip.exe
      "C:\Windows\system32\vip.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4508
    • C:\Windows\1.exe
      "C:\Windows\1.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4016
      • C:\Users\Admin\AppData\Local\Temp\BFD5.tmp\b2e.exe
        "C:\Users\Admin\AppData\Local\Temp\BFD5.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\BFD5.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Windows\1.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1844
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C0A0.tmp\batchfile.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1836
          • C:\Windows\SysWOW64\attrib.exe
            attrib -h -r c:\autoexec.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2720
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3160
    • C:\Windows\2.exe
      "C:\Windows\2.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3716
      • C:\Users\Admin\AppData\Local\Temp\BFF4.tmp\b2e.exe
        "C:\Users\Admin\AppData\Local\Temp\BFF4.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\BFF4.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Windows\2.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C0CF.tmp\batchfile.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4644
          • C:\Windows\SysWOW64\attrib.exe
            attrib -h -r c:\autoexec.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:3800
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel1.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3300

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BFD5.tmp\b2e.exe

    Filesize

    8KB

    MD5

    db2878396d4c9d168c3657f523ce07e8

    SHA1

    174d115dae21a706673483a73ecca947a2c61cd2

    SHA256

    14b18fc014c49b97b631eb43d6063f7859c4bf7bbc5553b038a2a7a7b2281a82

    SHA512

    c3c3a54261e5b1d244bd46d72173e538561958caf44cfdeee3de5338e34761279b94e4a1fd5dd459079aa8ee4e335eff7b247fdfbf05f4d4fbf3dd88c4e44d3c

  • C:\Users\Admin\AppData\Local\Temp\BFF4.tmp\b2e.exe

    Filesize

    8KB

    MD5

    8081fcfccf21cf64bf9a190cd4de44cc

    SHA1

    3da77d50d6435b02660a70504eaede19fe26c633

    SHA256

    2a0d826b9eb367b2a338312fe05959fa11e2df5d2067334f6cc068575b94fa2a

    SHA512

    23a4d311851306a5e5a1427e793ecbce2d28be1d17f5ea200270f543122c497565558c9378460b333e7de165b77e1efecba887b2291f2bbf2b6ce1d5cffbf15e

  • C:\Users\Admin\AppData\Local\Temp\C0A0.tmp\batchfile.bat

    Filesize

    265B

    MD5

    01bbc1f6308d79dc79da52cd3749d3cf

    SHA1

    8c8ed4619e0f6a6ffe17a76df1a7f5c6c04dc1ba

    SHA256

    0167e13d63c785ef0b9c9a1a4e5dbd86fb80148c39f0f912cb269b83bcfe5bdc

    SHA512

    3a3f7a878c007e548702b0b139f5f9d99be662760a345834c0f39c541c1c680a3079d85b3d715b7c07db09a836c2e444687420e7d19fb5a2b7507ade7fa4a351

  • C:\Users\Admin\AppData\Local\Temp\C0CF.tmp\batchfile.bat

    Filesize

    345B

    MD5

    517a286127745a46819221cb74d36168

    SHA1

    1525e612e1abc3e07897fb6573d9ba8281a96c52

    SHA256

    a755b57f7a1265441f3325a5ecc7a9dc49695a8fffc43fa0632c570638234287

    SHA512

    4dd8327f95895753dc06b01b7fe943b97573ef9400aadd0dfa89c1f76f0f20555962aacaa9730fa8bdab02a59b7f8cf41054eec576120cae6e882c287d77b17c

  • C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

    Filesize

    158B

    MD5

    bd3877f6553d0b2bcb649fdc22cd37d1

    SHA1

    5e07894dce483ef172d994de0fbd33793c1755b4

    SHA256

    8e7b3e6b80c919a2530040db0de1fcfa887ff7a244d6a0ae3e01d17dce65928b

    SHA512

    5f626a2a8101efff483914482d84d6effeb14dd64953fea4fa8d414e32f085ae22258c78994c59719f6d7031df9cf617a7347e6baf43d7f6a82777679b4fe9c0

  • C:\Users\Admin\AppData\Local\Temp\selfdel1.bat

    Filesize

    158B

    MD5

    0853141a215a30317b8e5f041fc283c4

    SHA1

    b48272d710fc5114e79638ff4f97a082f673f088

    SHA256

    59f17ea5487de08edc7b1b404c4105e2e20caef1c5e87f0d0bf2c80b53b6cc93

    SHA512

    beac12eaf6c57b9399670935340ed44a26be05c05912b8de253b394cf62e7288e1d66b337fe57f078c10c0a3e47e516e60dde22faf55abe5bef7997678325b2e

  • C:\Windows\1.exe

    Filesize

    8KB

    MD5

    2499703fb73e7ee1d5013941aec2464b

    SHA1

    b4925297fbe87d41f3bd13657ac61bcfe4601272

    SHA256

    3ebeeb07bc6b1aeccbea1d5b6e3c9f5a6836c61bd0879e9d30d459c5405a74a0

    SHA512

    b5089e816545972792d45c71d51d9d0b9467b804ed11dd17f62c3911dafef9618960f889f2f6e1673c1a8122bd826b9d88d264ef52569c1b8ebb57d4ed8b6e72

  • C:\Windows\2.exe

    Filesize

    8KB

    MD5

    c394a9601ca67310284e5caf8639aa7a

    SHA1

    c8a31cda953c2186a5cca406c3c81f8ca496a76a

    SHA256

    fd88329cb6e6c835680cd3f508baf4f89307a2a9d64f9fb64d0febd6abaa8b8e

    SHA512

    61f53c7005ea40be5d1792878978d9e335826a35da6dd8b9525b42982eaeaaa0a482a39536241b3877db626fd6780a5976a69b9b965a131c3bd36727e6494fb6

  • C:\Windows\SysWOW64\LOVE4u.exe

    Filesize

    16KB

    MD5

    bf592ac520bf07c387ed71dfa820bfe3

    SHA1

    eab23e86917365c712906956cf86718297301d97

    SHA256

    208a82dde65d049def5641cf63c9c2dc62f6a712a7ebbb91d99c5ad5969b3c2d

    SHA512

    7d38841ddd2eaf8b1711039eeb0e575aaf583859c88a329a4718dfaa9748084666b167d3da78893b612b145d125c50797cc7fee267d140509374a5a5b46a0fde

  • C:\Windows\SysWOW64\LoveVirus.exe

    Filesize

    16KB

    MD5

    d74139fbbb57f71d3af521d420ca122d

    SHA1

    aa894259c55b68cd313af5a7c2aaf683fc69a636

    SHA256

    1f0961dcd3aec70f02567333a8f4b9ab99d2f4664b8635656578e070b97870b0

    SHA512

    e96e3bb5fc2435cb6bfd5e934b726e0978ded6e71ffb193b686dcc07f472dd8012a713adc4f4c111ecbf49df7a4d42025d8b97ba22768fc37531d40dd3f6afc8

  • C:\Windows\SysWOW64\WormVirus.exe

    Filesize

    14KB

    MD5

    ffee76301972cacb63253b98a7917fc4

    SHA1

    6307082d2c89abbb73f935accb6afe48d8f1bfe2

    SHA256

    09f28cd2ebc898b5e3285f412e103a5c021825a3a6f142ed7c833e63b8890025

    SHA512

    d152944254702c0604c0216548301b9f25c1de586eed2d0e1ac59ee132fa2345ec2c4be2b5c912ebb9492b87c18b0f8ddabf0154efb4586d53973b99e6b63d77

  • C:\Windows\SysWOW64\fff.exe

    Filesize

    14KB

    MD5

    f6cb0534cc7d7bd87ab26d6e1d18198c

    SHA1

    5bba8eb54efc812b16cc3825e5230734a25cd1a0

    SHA256

    4429aab69e3dbc2d5a1d331868593e33d6696102d62eae3fa2372392aa7656ec

    SHA512

    e2642ac08ed65c8b801950a18d3e4e76089c3c68381d10786eb9092f4468ccb57712266fea58378f58b2872bc9345d02d4f465d723c5babe65ddff2ce8d778f7

  • C:\Windows\SysWOW64\vip.exe

    Filesize

    110KB

    MD5

    5d8118807ceccd3652d908544fd2fbe5

    SHA1

    c68962530ae603a4e6d188a581f7ebb1f69b71c2

    SHA256

    9ba3c158cfebcb80c8b1708d316842eeb3ae9fe0a1487da2d38aa8010d8e870e

    SHA512

    94bb2fd96f84f5065c2cdddbed696f6b8878a8d8930448bc490d25b2ad4e91ad4397e755d2e350441efbb0e6f9f7401e1516c45e37b07d7c1430809bb1cd7c05

  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\ErrorPageStyles.vbs

    Filesize

    57KB

    MD5

    0acb2045c25d91efe3d67166b650101a

    SHA1

    76c503ec1d87b8358eb8e226086baef23eb298cc

    SHA256

    deb9bfc6d236a35310eaa6c23cebb1542fbc2eab801285b87c4b828f22627091

    SHA512

    d9fbcab6ed8840e9b83fb83012db2d6895749ebd999a3676791c84449e9cbb0089ef111ad2a2aa1fe87a8a320cf52cf9df3b3f6ca9ac266f39cc290f95a3c466

  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\PhishSiteStyles.vbs

    Filesize

    5KB

    MD5

    3517207921bc421e52b64ede4226134f

    SHA1

    67da2033c4b3eddf347433ac4e79e4a1379eaf81

    SHA256

    c34a78268a7338d1e5d1c0f0c44e5a8cc78f670d8c871261b6f8d302e0b29176

    SHA512

    713cd6ad7d14252ff9ed43898c1132968a306933c6b4c46327d07a945c1989ba8f5d149bbd8ffb59c211979e7c783e9c22bf6dec6c08e0bd46517411ddf0a546

  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\TridentErrorPageStyles.vbs

    Filesize

    4KB

    MD5

    559a66b58cf5163690ab75559c8801fb

    SHA1

    b334704e65d0b492e78e71f65f455383060ac067

    SHA256

    807ebc19ab4a95f4f03096c7e6acca70d263fdf256d62484270a7ce539443272

    SHA512

    2a57029f8957a47a1d873c8e08c283c929c43e21e8c18764c8ca2ff812eaf999aabd9f28574f69d0a70437912c2a7d90909745c0b590a927fb5c73aa98c52a6f

  • \??\c:\autoexec.bat

    Filesize

    114B

    MD5

    74a63c49f9ecf7cff6bff0851467621b

    SHA1

    2e6b5038d7f3e84030bdae3f11c62901586c7c5f

    SHA256

    ea535b042b12ca04d314b66a4839ac34b68cecafdcfd5bdf24657f824c95069c

    SHA512

    b06d3f343b8d6cd5bc87959ef227395f1f0b893160883bfabdada60833878882acf58a1f1fac23e0e1da1657b16f1ab67e41d1ef74d445f49db003325bc5f975

  • \??\c:\autoexec.bat

    Filesize

    157B

    MD5

    3915be04cddf356afab2ee3f85afd5b7

    SHA1

    f3daadeaf9d12e779aee1fadd76138032af41a50

    SHA256

    3cba2c2f85b4ff2bdcf6c2ef4cffe7b8a6fd3bdcf0bf766de2afeaa4da09ea9c

    SHA512

    9e432babb1c13542a540675cd6a620d69670c1dd271720456c46149b7fe8d269d017f72426808e0b459401f79ca6889decf963099e5f02281be0a2d4fa6349aa

  • \??\c:\autoexec.bat

    Filesize

    186B

    MD5

    b838f588f3a0a7edf29301fe68377a35

    SHA1

    b1d4a3b0f6fdb00e2590ba558dc04d8e71b61c70

    SHA256

    35f37a8d3dd955b148586b766044f26e84d1984ce6141f9db4db7efc3c724cf7

    SHA512

    b5bb27ae0d06ca694bd727f382518485f382cf7c59879254850262ac2edf9d6e1d63cb006975d08e12a00ceb13967edc042bcb15aae8f7d8412215c9df4ad2c4

  • \??\c:\autoexec.bat

    Filesize

    215B

    MD5

    4adbecade850c398906d54eebdf39104

    SHA1

    24dce2a7d1ae9b05d801ac6eee09592bcceeb1f0

    SHA256

    519ad7b3e9ea502f05f5fd5edc6f9798dd5aac6227dee36685c7311e4e295219

    SHA512

    837e8084ccbe7374df618ecb61f87e41a69ba2f555f2c378adc4797f00325cb6e04f16439ba52f062ef12481279c68f1558c37b57bccc846dc92b74393f0f94d

  • memory/112-28-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/112-48-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/456-65-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/1844-120-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/1844-88-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/2344-37-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/2644-121-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/2644-89-0x0000000000400000-0x0000000000405000-memory.dmp

    Filesize

    20KB

  • memory/2960-10-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/2960-124-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/2960-626-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/3716-64-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/4016-58-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/4016-92-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/4236-66-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/4508-83-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB